[dmarc-ietf] What bad stuff can a broken DMARC record cause?

John R Levine <johnl@taugh.com> Sun, 24 April 2022 18:37 UTC

Someone I know asked me what sort of bad things could happen if one 
published a broken DMARC record.  Obviously, if your record is bad people 
won't follow your policies and you won't get your reports, but anything 
else?  Have you ever heard of MTAs burping on a bad DMARC record?

I've looked at the C OpenDMARC and Perl Mail::DMARC libraries and they 
both seem pretty sturdy: fetch a TXT record and if they find one, look for 
the tags they want and ignore everything else.

As an experiment, I added 32K of junk to the _dmarc.johnlevine.com TXT 
record and as far as I can tell, it's made no difference.  I still get the 
same reports saying the same things.  DNS libraries need to use TCP to 
fetch it but they all seem able to do that.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
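A tolerant record parser in the style the post describes (fetch the TXT, keep the tags you want, ignore everything else), written here as an added example rather than code from OpenDMARC or Mail::DMARC. The records it feeds itself are constructed, not real DNS data; the fallback to p=none when p= is bad but rua= is usable follows RFC 7489 section 6.6.3, and the 32K padding case mirrors the experiment above.

```python
import re
from typing import Dict, Optional

# Tags an evaluator needs (RFC 7489 section 6.3). Anything else is skipped,
# which is why junk appended to the record makes no difference to the policy.
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt: str) -> Optional[Dict[str, str]]:
    """Split on ';', keep recognised tag=value pairs, ignore the rest.
    Returns the usable tags, or None when the record cannot be applied."""
    chunks = [c.strip() for c in txt.split(";")]
    chunks = [c for c in chunks if c]
    # RFC 7489: "v=DMARC1" must be the first tag, or this is not a DMARC record.
    if not chunks or not re.fullmatch(r"v\s*=\s*DMARC1", chunks[0], re.IGNORECASE):
        return None
    tags: Dict[str, str] = {}
    for chunk in chunks:
        name, sep, value = chunk.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or name not in KNOWN_TAGS or name in tags:
            continue  # junk without '=', unknown tag, or duplicate: ignored
        tags[name] = value
    if tags.get("p", "").lower() not in POLICIES:
        # Section 6.6.3: a missing or invalid p= is tolerated only when rua=
        # carries a usable URI; the receiver then acts as if p=none were set.
        # Otherwise no DMARC processing is applied to the message at all.
        if "mailto:" in tags.get("rua", "").lower():
            tags["p"] = "none"
        else:
            return None
    return tags


def effective_policy(txt: str) -> Optional[str]:
    """Policy a receiver would enforce for this record, or None if unusable."""
    tags = parse_dmarc_record(txt)
    return None if tags is None else tags["p"].lower()


# Constructed records (not real DNS data) covering the cases in the thread.
GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
PADDED = GOOD + "; " + "x" * 32768            # 32K of junk appended
BAD_P_NO_RUA = "v=DMARC1; p=rejct"            # typo in p=, nothing to fall back on
BAD_P_WITH_RUA = "v=DMARC1; p=rejct; rua=mailto:dmarc@example.com"
NOT_DMARC = "p=reject; v=DMARC1"              # v= not first: not a DMARC record

if __name__ == "__main__":
    for label in ("GOOD", "PADDED", "BAD_P_NO_RUA", "BAD_P_WITH_RUA", "NOT_DMARC"):
        print(label, effective_policy(globals()[label]))
```

The padded record yields exactly the same tags as the clean one, while a typo in p= only survives if the record still names a reporting address.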